UNIT-1

Short Questions (2 Marks)

1. Briefly describe the evolution of information security.

- 1960s - Early Computing: Focus on securing physical locations and hardware.
- 1970s - Rise of Networked Computers: Emergence of network security protocols.
- 1980s - Personal Computers: Increased awareness of malware and the need for antivirus software.
- 1990s - Internet Expansion: Development of firewalls and encryption protocols.
- 2000s - Cybersecurity Era: Emphasis on data protection laws, identity theft, and advanced persistent threats.
- 2010s - Cloud and Mobile Computing: Focus on cloud security, mobile device management, and IoT security.
- 2020s - AI and Machine Learning: Integration of AI in threat detection and response.

2. What are the key aspects of the NSTISSC Security Model?

- Confidentiality: Protecting information from unauthorized disclosure.
- Integrity: Ensuring the accuracy and reliability of information.
- Availability: Guaranteeing timely and reliable access to information.
- Authentication: Verifying the identity of users accessing information.
- Non-repudiation: Ensuring that actions or commitments cannot be denied later.

3. Name critical components of an information system.

- Hardware: Includes servers, computers, routers, switches, and data storage devices.
- Software: Encompasses operating systems, applications, and security tools.
- Data: The core element, including databases, files, and multimedia.
- Networks: Communication systems such as LANs, WANs, and the internet.
- People: Users, IT staff, and management who interact with the system.
- Processes: Procedures and policies governing the use and security of the system.

4. Why is it important to balance security and access in an information system?

- User Productivity: Excessive security measures can hinder user efficiency and productivity.
- System Usability: Maintaining a user-friendly environment while still ensuring security.
- Data Accessibility: Ensuring that data is available to authorized users when they need it.
- Threat Mitigation: Weighing the need to protect against potential security threats against the need for access.
- Regulatory Compliance: Meeting legal requirements without overburdening system access.

5. Why is secure software development essential in modern information systems?

- Preventing Security Breaches: Avoiding vulnerabilities that can lead to data theft or system compromise.
- Protecting User Data: Ensuring the confidentiality and integrity of user data.
- Maintaining System Integrity: Preventing unauthorized changes to, or disruptions of, system functionality.
- Legal and Regulatory Compliance: Adhering to standards such as GDPR, HIPAA, etc.
- Building Trust: Establishing and maintaining trust among users and stakeholders.
- Cost Efficiency: Preventing breaches can be less costly than addressing security incidents after development.

UNIT-2

Short Questions (2 Marks)

1. Name the major legal bodies involved in information security.

- International Bodies:
  - Interpol: Facilitates international police cooperation.
  - International Organization for Standardization (ISO): Develops standards such as ISO/IEC 27001 for information security management.
- United States:
  - Federal Trade Commission (FTC): Enforces laws against deceptive and unfair business practices.
  - National Institute of Standards and Technology (NIST): Develops cybersecurity standards and guidelines.
- European Union:
  - European Data Protection Board (EDPB): Oversees the application of the General Data Protection Regulation (GDPR).

2. What is the role of ethics in information security?

- Trust Building: Establishes trust between users and organizations.
- Data Handling: Guides the ethical handling of sensitive and personal data.
- Decision Making: Influences ethical decision-making in security practices.
- Professional Conduct: Sets standards for professional conduct among security practitioners.
- Legal Compliance: Complements legal requirements by addressing areas not covered by law.

3. Identify the key elements in the process of risk identification in information security.

- Asset Identification: Recognizing what needs protection, such as data, hardware, and software.
- Threat Recognition: Identifying potential threats that could exploit vulnerabilities.
- Vulnerability Assessment: Determining weaknesses in the system that could be exploited.
- Environmental Study: Understanding the external and internal environment that could affect security.

4. Define the common risk control strategies used in information security.

- Preventive Controls: Aimed at preventing security incidents (e.g., firewalls, access controls).
- Detective Controls: Designed to detect and identify security incidents (e.g., intrusion detection systems).
- Corrective Controls: Implemented to correct issues after a security incident (e.g., patch management).
- Deterrent Controls: Intended to discourage security violations (e.g., security policies, legal consequences).

5. What is the main difference between quantitative and qualitative risk control practices?

- Quantitative: Uses numerical values and metrics to assess risk (e.g., statistical methods, cost-benefit analysis).
- Qualitative: Based on subjective analysis and expert opinion (e.g., risk matrices, scenario analysis).

6. Explain the professional issues commonly faced in the field of information security.

- Skill Gap: The industry often faces a shortage of skilled professionals.
- Rapid Technological Change: Keeping up with fast-evolving technologies and threats.
- Ethical Dilemmas: Balancing privacy, surveillance, and security.
- Stress and Burnout: A high-pressure environment that leads to professional burnout.

7. What is the primary goal of risk assessment in information security?

- Identifying Potential Risks: Understanding the threats and vulnerabilities that could affect the organization.
- Evaluating Impact and Likelihood: Assessing the potential impact and likelihood of the identified risks.
- Prioritizing Risks: Determining which risks need immediate attention and resources.
- Informing Risk Mitigation Strategies: Guiding the development of strategies to mitigate or accept risks.
